Anomaly Detection
Last reviewed April 2026
A transaction monitoring system at a mid-sized bank generates 15,000 alerts per month. Fewer than 200 are genuine. The rest are false positives that consume analyst hours without producing intelligence. Anomaly detection is the capability that separates the signal from the noise, and getting the threshold right determines whether a compliance function is effective or merely busy.
What is anomaly detection?
Anomaly detection identifies data points, transactions, behaviours, or patterns that deviate significantly from what is expected. In financial services, it underpins fraud detection, anti-money laundering monitoring, market surveillance, and operational risk management. The core question is always the same: is this observation normal for this context, or does it warrant investigation?
The challenge is defining "normal." A 50,000-pound wire transfer is anomalous for a retail customer who typically moves hundreds. It is routine for a corporate treasurer managing payroll. Context-dependent baselines are what distinguish useful anomaly detection from noise generators. Static threshold rules ("flag anything above X") produce volume. Behavioural baselines ("flag anything that deviates from this customer's established pattern by more than Y standard deviations") produce intelligence.
Three technical approaches dominate. Statistical methods model the expected distribution and flag observations in the tails. Machine learning methods learn complex patterns of normal behaviour and score new observations by how much they deviate. Rule-based methods encode expert knowledge about known anomaly patterns. Production systems typically combine all three, using rules to catch known patterns, ML to detect novel ones, and statistical methods to calibrate confidence.
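The difference between a static threshold and a behavioural baseline, and the way a rule layer sits beside the baseline, is easiest to see on data. The example below is added here and is not code from the original page; the customers, histories, the 10,000 static threshold, the three-standard-deviation limit and the high-risk country code are constructed assumptions. It also covers a case the paragraph above does not mention: a customer with too little history to support a baseline, for whom the static rule is kept as a fallback rather than silently under-alerting.

```python
"""Static threshold versus per-customer behavioural baseline, plus a rule layer.

Added example; the customers, amounts, history lengths and the 10,000
threshold are constructed for illustration, not taken from any bank.
"""
from statistics import mean, pstdev

# Constructed per-customer transaction histories (amounts in GBP).
HISTORY = {
    "retail_customer": [120, 85, 240, 60, 310, 95, 180, 75, 220, 140],
    "corporate_treasurer": [48000, 51000, 47500, 52000, 49000,
                            50500, 48500, 51500, 49500, 50000],
    "new_customer": [200, 300],          # too short to build a baseline
}

# Constructed transactions to score. "XX" is a made-up high-risk country code.
TRANSACTIONS = [
    {"id": "t1", "customer": "retail_customer", "amount": 50000, "country": "GB"},
    {"id": "t2", "customer": "corporate_treasurer", "amount": 50000, "country": "GB"},
    {"id": "t3", "customer": "retail_customer", "amount": 150, "country": "GB"},
    {"id": "t4", "customer": "corporate_treasurer", "amount": 49000, "country": "XX"},
    {"id": "t5", "customer": "new_customer", "amount": 20000, "country": "GB"},
]

STATIC_THRESHOLD = 10_000      # "flag anything above X"
Z_LIMIT = 3.0                  # "more than Y standard deviations"
MIN_HISTORY = 5                # below this a baseline is not trustworthy
HIGH_RISK_COUNTRIES = {"XX"}   # constructed list for the rule layer


def zscore(amount, history):
    """Standard deviations between `amount` and the customer's own history."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return 0.0 if amount == mu else float("inf")
    return (amount - mu) / sigma


def static_alerts(txns, threshold=STATIC_THRESHOLD):
    """Static rule: one threshold for every customer. Produces volume."""
    return {t["id"] for t in txns if t["amount"] > threshold}


def behavioural_alerts(txns, history=HISTORY, z_limit=Z_LIMIT):
    """Per-customer baseline; falls back to the static rule on cold start."""
    alerts = set()
    for t in txns:
        hist = history.get(t["customer"], [])
        if len(hist) < MIN_HISTORY:
            # Cold start: no baseline yet, so keep the static rule rather
            # than letting a brand-new account move money unseen.
            if t["amount"] > STATIC_THRESHOLD:
                alerts.add(t["id"])
        elif abs(zscore(t["amount"], hist)) > z_limit:
            alerts.add(t["id"])
    return alerts


def known_pattern_alerts(txns, high_risk=HIGH_RISK_COUNTRIES):
    """Rule layer for a known typology that amount baselines cannot see."""
    return {t["id"] for t in txns if t["country"] in high_risk}


def combined_alerts(txns):
    """Production shape: rules for known patterns, baselines for novel ones."""
    return known_pattern_alerts(txns) | behavioural_alerts(txns)


if __name__ == "__main__":
    print("static     :", sorted(static_alerts(TRANSACTIONS)))
    print("behavioural:", sorted(behavioural_alerts(TRANSACTIONS)))
    print("combined   :", sorted(combined_alerts(TRANSACTIONS)))
```

The static rule flags four of the five transactions, including the treasurer's routine 50,000 payment. The baseline flags only the retail customer's 50,000 transfer (hundreds of standard deviations out) and the cold-start account, and the rule layer adds the treasurer's payment to the high-risk jurisdiction, which is normal in amount and would never be caught by a baseline on amounts alone.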
The landscape
Regulators increasingly expect risk-based, rather than rules-based, transaction monitoring. The FCA has signalled that static threshold rules alone are insufficient for AML transaction monitoring, particularly for detecting sophisticated money laundering typologies. This regulatory direction favours anomaly detection systems that learn customer behaviour and assess transactions in context.
The volume of data requiring monitoring is growing faster than the analyst population. Real-time payment systems, open banking data feeds, and digital channel interactions generate transaction volumes that manual review cannot absorb: Faster Payments alone processes over 4 billion transactions annually in the UK. Anomaly detection systems must operate at this scale with sub-second latency for payment fraud use cases, and because they are models they fall under the PRA's SS1/23 expectation that models are subject to ongoing monitoring and validation.
Cross-channel anomaly detection is emerging. A customer's behaviour across mobile banking, branch visits, call centre interactions, and online transactions forms a composite pattern. An anomaly that spans channels, such as a sudden increase in high-value transfers following an unusual call centre interaction, is invisible to single-channel monitoring because each channel sees only its own part of the pattern. The technical challenge is aggregating behavioural data across channels in real time, which requires an event-streaming architecture and a unified customer view.
How AI changes this
Adaptive baselines replace static thresholds. ML-based anomaly detection systems build behavioural profiles for each customer, account, or entity, and update these profiles continuously. The baseline adapts as the customer's legitimate behaviour changes (a new job, a house purchase, a seasonal business cycle), reducing false positives without reducing detection of genuinely anomalous activity. Institutions that have deployed adaptive baselines report 40 to 60 per cent reductions in false positive alerts. The update rate is a security parameter as much as a statistical one: a baseline that adapts quickly absorbs a legitimate change within a few observations, but it also follows an attacker who escalates gradually, each step staying just inside the current tolerance. Choose the rate so that the baseline moves more slowly than the fastest escalation you intend to detect.
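The trade-off in the update rate can be shown with an exponentially weighted baseline run over two constructed streams: a gradual escalation and a legitimate step change. This is an added example, not the page's or any vendor's code; the warm-up window, the two update rates, the three-standard-deviation limit and the amounts are illustrative assumptions.

```python
"""Adaptive (exponentially weighted) behavioural baseline.

Added example. The warm-up window, update rates and the two constructed
amount streams are illustrative choices, not taken from any deployed system.
"""
from math import sqrt
from statistics import mean, pvariance


class AdaptiveBaseline:
    """Per-customer mean and variance, updated with rate `alpha` on every
    observation. A higher alpha adapts faster."""

    def __init__(self, warmup, alpha):
        self.alpha = alpha
        self.mean = mean(warmup)
        self.var = pvariance(warmup)

    def score(self, amount):
        """Standard deviations from the baseline *before* it is updated."""
        sd = sqrt(self.var)
        return (amount - self.mean) / sd if sd > 0 else float("inf")

    def update(self, amount):
        diff = amount - self.mean
        incr = self.alpha * diff
        self.mean += incr
        # Exponentially weighted variance (Welford-style recursion).
        self.var = (1 - self.alpha) * (self.var + diff * incr)


def alerts(amounts, alpha, warmup=10, z_limit=3.0):
    """Indices of observations (after the warm-up window) whose |z| exceeds
    z_limit. Every observation, flagged or not, updates the baseline."""
    baseline = AdaptiveBaseline(amounts[:warmup], alpha)
    flagged = []
    for i, amount in enumerate(amounts[warmup:], start=warmup):
        if abs(baseline.score(amount)) > z_limit:
            flagged.append(i)
        baseline.update(amount)
    return flagged


# Constructed 10-observation warm-up of ordinary activity (GBP).
WARMUP = [100, 110, 95, 105, 90, 100, 115, 98, 102, 105]
# Scenario A: an attacker walks the amount up 10% per step for 40 steps.
GRADUAL_ESCALATION = WARMUP + [round(100 * 1.1 ** k, 2) for k in range(1, 41)]
# Scenario B: a legitimate step change; amounts triple and stay there.
STEP_CHANGE = WARMUP + [300] * 20

if __name__ == "__main__":
    for alpha in (0.5, 0.05):
        print(f"alpha={alpha}: escalation alerts at {alerts(GRADUAL_ESCALATION, alpha)}, "
              f"step-change alerts at {alerts(STEP_CHANGE, alpha)}")
```

With alpha 0.5 the fast baseline never alerts on the escalation: the amount ends forty-five times higher than it started and every step was absorbed. The slow baseline (alpha 0.05) alerts on the third escalated payment. On the legitimate step change the picture inverts: the fast baseline raises one alert and settles, the slow one keeps alerting for several payments. Feeding flagged observations back into the baseline, as this code does, is what lets the attacker's walk succeed; holding them out until an analyst confirms them closes that path, at the cost that a genuine change is only absorbed once someone reviews it.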
Graph-based anomaly detection identifies suspicious patterns in relationships between entities. A network of accounts that individually appear normal but collectively exhibit coordinated behaviour (rapid fund cycling, layering, structuring) is detectable only when the relationships are analysed together. This is particularly valuable for mule account detection and trade-based money laundering, where the anomaly exists in the network, not in any single transaction.
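The point that the anomaly lives in the network rather than in any one transfer can be demonstrated with a small transaction graph. The code below is an added example, not from the original page; the account names, amounts, the pass-through ratio and the minimum flow are constructed assumptions, and it uses only the standard library so it runs offline.

```python
"""Graph-based detection of fund cycling between accounts.

Added example. The account names, amounts and the pass-through and size
thresholds are constructed for illustration, not drawn from a real case.
"""
from collections import defaultdict

# Constructed transfers: (source, destination, amount in GBP).
TRANSFERS = [
    # A constructed mule ring: funds enter M1, circulate M1 -> M2 -> M3 -> M1
    # in modest pieces, and leave through M3. No single transfer is large.
    ("victim", "M1", 9500),
    ("M1", "M2", 4700),
    ("M1", "M2", 4600),
    ("M2", "M3", 4650),
    ("M2", "M3", 4550),
    ("M3", "M1", 3000),
    ("M3", "cashout", 6000),
    ("M1", "M2", 2900),
    ("M2", "M3", 2850),
    ("M3", "cashout", 2800),
    # Constructed ordinary activity, including a deposit refund that forms a
    # two-node cycle but is not pass-through behaviour.
    ("employer", "alice", 2500),
    ("alice", "landlord", 1200),
    ("alice", "grocer", 85),
    ("landlord", "alice", 300),
]

PASS_THROUGH_MIN = 0.8   # min(in, out) / max(in, out) above this looks like cycling
MIN_FLOW = 1000          # ignore accounts that cycled less than this


def build_graph(transfers):
    """Directed adjacency: source -> set of destinations."""
    adj = defaultdict(set)
    for src, dst, _ in transfers:
        adj[src].add(dst)
    return adj


def pass_through(transfers):
    """Per account: (ratio of the smaller flow to the larger, amount cycled)."""
    inflow, outflow = defaultdict(float), defaultdict(float)
    for src, dst, amount in transfers:
        outflow[src] += amount
        inflow[dst] += amount
    stats = {}
    for acct in set(inflow) | set(outflow):
        lo, hi = sorted((inflow[acct], outflow[acct]))
        stats[acct] = (lo / hi if hi else 0.0, lo)
    return stats


def find_cycles(adj, max_len=4):
    """Simple directed cycles of length 2..max_len, as canonical tuples."""
    cycles = set()

    def canonical(path):
        i = path.index(min(path))          # rotate so the smallest name leads
        return tuple(path[i:] + path[:i])

    def dfs(start, node, path):
        for nxt in adj.get(node, ()):
            if nxt == start and len(path) >= 2:
                cycles.add(canonical(path))
            elif nxt not in path and len(path) < max_len:
                dfs(start, nxt, path + [nxt])

    for start in list(adj):
        dfs(start, start, [start])
    return cycles


def suspicious_rings(transfers):
    """Cycles in which every member behaves as a pass-through account."""
    stats = pass_through(transfers)
    rings = []
    for cycle in find_cycles(build_graph(transfers)):
        if all(stats[a][0] >= PASS_THROUGH_MIN and stats[a][1] >= MIN_FLOW
               for a in cycle):
            rings.append(cycle)
    return sorted(rings)


if __name__ == "__main__":
    for acct, (ratio, cycled) in sorted(pass_through(TRANSFERS).items()):
        print(f"{acct:<9} pass-through {ratio:.2f}  cycled {cycled:,.0f}")
    print("rings:", suspicious_rings(TRANSFERS))
```

Every transfer inside the ring is under 5,000, and the refund between alice and her landlord forms a two-node cycle just as the ring does, so neither an amount threshold nor cycle-finding alone separates the two. The combination does: the ring members each move out almost exactly what came in, and alice does not.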
Multimodal anomaly detection combines transaction data, text data (customer communications, complaints), and behavioural data (session patterns, device fingerprints) to produce a richer anomaly signal. A customer whose transaction pattern is normal but whose communication patterns suggest distress or coercion may be a victim of authorised push payment (APP) fraud. Detecting this requires NLP capabilities integrated with transaction monitoring, which is technically feasible but organisationally challenging.
What to know before you start
The false positive rate is the metric that determines operational viability. A system that catches 99 per cent of genuine anomalies but generates 50,000 false positives per month is unusable. Optimise for the ratio of genuine anomalies to total alerts (the precision), not just the detection rate (the recall). In practice, you are trading off between catching more genuine cases and generating more noise. Define the acceptable trade-off with your operations team before deployment, not after.
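Agreeing the trade-off before deployment means turning analyst capacity into a threshold. The example below is added here, not taken from the page; the twenty labelled scores are a constructed stand-in for a month of reviewed alerts, and the "alert budget" is an assumed number of alerts the operations team can work. It sweeps every candidate threshold and picks the one with the highest recall that stays within budget, breaking ties towards the stricter threshold.

```python
"""Choosing an alert threshold from the precision/recall trade-off.

Added example. The scored alerts below are constructed (score, is_genuine)
pairs standing in for a month of labelled output from an anomaly scorer.
"""

# Constructed labelled scores: higher score means more anomalous.
SCORED = [
    (9.1, True), (8.4, True), (8.0, False), (7.2, True), (6.9, False),
    (6.5, True), (6.1, False), (5.5, False), (5.2, False), (4.9, False),
    (4.8, True), (4.4, False), (4.0, False), (3.6, False), (3.3, False),
    (3.1, True), (2.8, False), (2.2, False), (1.9, False), (1.5, False),
]


def precision_recall(scored, threshold):
    """Precision, recall and alert count if everything scoring >= threshold is alerted."""
    genuine_total = sum(1 for _, g in scored if g)
    alerted = [g for s, g in scored if s >= threshold]
    tp = sum(alerted)
    precision = tp / len(alerted) if alerted else 0.0
    recall = tp / genuine_total if genuine_total else 0.0
    return precision, recall, len(alerted)


def operating_points(scored):
    """One row per candidate threshold (each distinct score), strictest first."""
    rows = []
    for thr in sorted({s for s, _ in scored}, reverse=True):
        p, r, n = precision_recall(scored, thr)
        rows.append({"threshold": thr, "alerts": n, "precision": p, "recall": r})
    return rows


def choose_threshold(scored, alert_budget):
    """Highest-recall threshold whose alert volume fits the analyst budget.
    Ties on recall go to the stricter threshold (fewer alerts, higher precision).
    Returns None if even the strictest threshold exceeds the budget."""
    best = None
    for row in operating_points(scored):
        if row["alerts"] > alert_budget:
            break                          # every later row alerts even more
        key = (row["recall"], row["precision"])
        if best is None or key > (best["recall"], best["precision"]):
            best = row
    return best


if __name__ == "__main__":
    for row in operating_points(SCORED):
        print(f"score >= {row['threshold']:>4}: {row['alerts']:>2} alerts, "
              f"precision {row['precision']:.2f}, recall {row['recall']:.2f}")
    for budget in (6, 10, 12):
        print(f"budget {budget}: {choose_threshold(SCORED, budget)}")
```

On this data a budget of six alerts and a budget of ten choose the same threshold: the four extra alerts would all be false positives, buying no recall. Capacity for twelve alerts is what finally lets the threshold drop far enough to catch a fifth genuine case, at a precision of 5/11. That is the conversation to have with the operations team: what each increment of analyst time actually buys.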
Data quality determines anomaly detection accuracy. If customer records are duplicated, transactions are miscategorised, or timestamps are inconsistent, the system cannot build reliable baselines. Dirty data creates false baselines, which create false anomalies, which create false alerts. Clean the data before deploying the model.
Explainability matters for every flagged anomaly. An analyst reviewing an alert needs to understand why the system flagged it. "This transaction is anomalous" is not actionable. "This transaction is 4.2 standard deviations above this customer's typical transfer amount, to a new payee, in a jurisdiction the customer has never transacted with" is actionable. Design your system to produce human-readable explanations for every alert.
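One way to produce the kind of explanation described above is to attach to each feature that contributed to the alert a sentence carrying the numbers behind it. The code below is an added example, not from the page; the customer history, the two transactions and the reason codes are constructed assumptions, and a real system would pull the same features from its profile store.

```python
"""Human-readable explanations for a flagged transaction.

Added example. The customer history, the new transactions and the reason
codes are constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed history for one customer: (amount in GBP, payee, country).
HISTORY = [
    (150, "landlord", "GB"), (250, "grocer", "GB"), (150, "landlord", "GB"),
    (250, "grocer", "GB"), (150, "landlord", "GB"), (250, "grocer", "GB"),
    (150, "landlord", "GB"), (250, "grocer", "GB"),
]
# Constructed transactions to explain.
FLAGGED = {"amount": 410, "payee": "newco_ltd", "country": "AE"}
ROUTINE = {"amount": 240, "payee": "grocer", "country": "GB"}

Z_LIMIT = 3.0


def amount_zscore(amount, history):
    """Standard deviations between `amount` and the customer's own history."""
    amounts = [a for a, _, _ in history]
    mu, sigma = mean(amounts), pstdev(amounts)
    return (amount - mu) / sigma if sigma else 0.0


def explain(txn, history, z_limit=Z_LIMIT):
    """Return the evidence behind an alert as (code, sentence) pairs plus a
    one-line summary. Each sentence carries the numbers an analyst needs to
    check the claim against the customer's record."""
    amounts = [a for a, _, _ in history]
    z = amount_zscore(txn["amount"], history)
    reasons = []
    if abs(z) > z_limit:
        direction = "above" if z > 0 else "below"
        reasons.append(("amount_zscore",
            f"amount {txn['amount']:,} is {abs(z):.1f} standard deviations {direction} "
            f"this customer's typical transfer (mean {mean(amounts):,.0f}, "
            f"sd {pstdev(amounts):,.0f}, over {len(amounts)} transactions)"))
    known_payees = {p for _, p, _ in history}
    if txn["payee"] not in known_payees:
        reasons.append(("new_payee",
            f"payee '{txn['payee']}' has never been paid before "
            f"({len(known_payees)} known payees)"))
    known_countries = {c for _, _, c in history}
    if txn["country"] not in known_countries:
        reasons.append(("new_jurisdiction",
            f"destination {txn['country']} is a jurisdiction this customer has "
            f"never transacted with (previously: {', '.join(sorted(known_countries))})"))
    summary = ("; ".join(text for _, text in reasons) if reasons
               else "no deviation from this customer's established pattern")
    return {"z": z, "reasons": reasons, "summary": summary}


if __name__ == "__main__":
    for txn in (FLAGGED, ROUTINE):
        print(explain(txn, HISTORY)["summary"])
```

The reason codes are stable identifiers, so the same explanations can feed case-management tooling and reporting on which features drive alerts; the sentences are for the analyst. Keeping the evidence (mean, standard deviation, sample size) in the sentence is what makes the explanation checkable rather than merely readable.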
Start with the use case that has the highest false positive rate. If your AML transaction monitoring generates 95 per cent false positives, an ML-based anomaly detection layer that brings that down to 50 per cent without losing genuine cases shrinks the alert queue roughly tenfold (the same genuine alerts that were 5 per cent of the queue are now half of it), with no change to your detection rules. This is the lowest-risk, highest-ROI entry point, and it builds the data and infrastructure foundation for more ambitious applications.